A Formal Security Analysis of the Signal Messaging Protocol Extended Version, November 2017y Katriel Cohn-Gordon∗, Cas Cremers∗, Benjamin Dowlingy, Luke Garratt∗, Douglas Stebilaz [email protected] ∗University of Oxford, UK [email protected] [email protected] yRoyal Holloway, University of London, UK [email protected] zMcMaster University, Canada [email protected] Abstract Signal is a new security protocol and accompanying app that provides end-to-end encryption for instant messaging. The core protocol has recently been adopted by WhatsApp, Facebook Messenger, and Google Allo among many others; the first two of these have at least 1 billion active users. Signal includes several uncommon security properties (such as “future secrecy” or “post-compromise security”), enabled by a novel technique called ratcheting in which session keys are updated with every message sent. Despite its importance and novelty, there has been little to no academic analysis of the Signal protocol. We conduct the first security analysis of Signal’s Key Agreement and Double Ratchet as a multi-stage key exchange protocol. We extract from the implementation a formal description of the abstract protocol, and define a security model which can capture the “ratcheting” key update structure. We then prove the security of Signal’s core in our model, demonstrating several standard security properties. We have found no major flaws in the design, and hope that our presentation and results can serve as a starting point for other analyses of this widely adopted protocol. 1. Introduction Revelations about mass surveillance of communications have made consumers more privacy-aware. In response, scientists and developers have proposed techniques which can provide security for end users even if they do not fully trust the service providers. For example, the popular messaging service WhatsApp was unable to comply with Brazilian government demands for users’ plaintext messages [15] because of its end-to-end encryption. Early instant messaging systems did not provide much security. While some systems did encrypt traffic between the user and the service provider, the service provider retained the ability to read the plaintext of users’ messages. Off-the-Record Messaging [16, 29] was one of the first security protocols for instant messaging: acting as a plugin to a variety of instant messaging applications, users could authenticate each other using public keys or a shared secret passphrase, and obtain end-to-end confidentiality and integrity. One novel feature of OTR was its fine-grained key freshness: along with each message round trip, users established a fresh ephemeral Diffie–Hellman (DH) shared secret. Since it was not possible to work backward from a later state to an earlier state and decrypt past messages, this technique became known as ratcheting; in particular, asymmetric ratcheting since it involves asymmetric (public key) cryptography. OTR saw relatively limited adoption, but its ratcheting technique can be seen in modern security protocols. Perhaps the first secure instant message protocol to achieve widespread adoption was Apple’s iMessage, a proprietary protocol that provides end-to-end encryption. A notable characteristic of iMessage is that it automatically manages the distribution of users’ long-term keys, and in particular (as of this writing) users have no interface for verifying friends’ keys. iMessage, unfortunately, has a variety of flaws that seriously undermine its security [36]. The Signal Protocol. While there has been a range of activity in end-to-end encryption for instant messaging [31, 68], the most prominent recent development in this space has been the Signal messaging protocol, “a ratcheting forward secrecy protocol that works in synchronous and asynchronous messaging environments” [53, 54]. Signal’s goals include end-to-end encryption as well as advanced security properties such as perfect forward secrecy and “future secrecy”. The Signal protocol, and in particular its ratcheting construction, has a relatively complex history. TextSecure [54] was a secure messaging app and the predecessor to Signal. It contained the first definition of Signal’s “Double Ratchet”, which effectively combines ideas from OTR’s asymmetric ratchet and a symmetric ratchet y An overview of changes can be found in Appendix D. An extended abstract of this paper appears at IEEE EuroS&P 2017. K.C-G. thanks Merton College and the Oxford CDT in Cyber Security for their support. D.S. was supported in part by Australian Research Council (ARC) Discovery Project grant DP130104304, Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146 and Discovery Accelerator Supplement RGPAS 492986-2016. (which applies a symmetric key derivation function to create a new key, but does not incorporate fresh DH material, similar to so-called “forward-secure” symmetric encryption [11]). TextSecure’s combined ratchet was referred to as the “Axolotl Ratchet”, though the name Axolotl was used by some to refer to the entire protocol. TextSecure was later merged with RedPhone, a secure telephony app, and was renamed Signal1, the name of both the instant messaging app and the cryptographic protocol. In the rest of this paper, we will be discussing the cryptographic protocol only. The Signal cryptographic protocol has seen explosive uptake of encryption in personal communications: it (or a variant) is now used by Google Allo [55], WhatsApp [70], Facebook Messenger [32], as well as a host of variants in “secure messaging” apps, including Silent Circle [57], Pond [51], and (via the OMEMO extension [67] to XMPP) Cryptocat v2 [43], Conversations [24], and ChatSecure [4]. Security of Signal. One might expect this widespread uptake of the Signal protocol to be accompanied by an in-depth security analysis and examination of the design rationale, in order to: (i) understand and specify the security assurances which Signal is intended to provide; and (ii) verify that it provides them. Surprisingly, this is not yet the case. There currently is little documentation available on the current version of the Signal protocol, and no in-depth security analysis, although the developers have recently started work on some specifications for various components of the protocol. This is in stark contrast to the ongoing development of the next version of the Transport Layer Security protocol, TLS 1.3, which explicitly involves academic analysis in its development [14, 26, 30, 42, 46, 52]. Frosch et al. [34, 35] performed a security analysis of TextSecure v3, showing that in their model the computation of the long-term symmetric key which seeds the ratchet is a secure one-round key exchange protocol, and that the key derivation function and authenticated encryption scheme used in TextSecure are secure. However, it did not cover any of the security properties of the ratcheting mechanisms. Providing a security analysis for the Signal protocol is challenging. First, Signal employs a novel and unstudied design, involving over ten different types of keys and a complex update process which leads to various “chains” of related keys. It therefore does not directly fit into existing analysis models. Second, some of its claimed properties have only recently been formalised [23]. 1.1. Contributions We provide the first in-depth formal security analysis of the cryptographic core of the Signal messaging protocol, which is used by more than a billion users. To achieve this, we develop a multi-stage key exchange security model with adversarial queries and freshness conditions that capture the security properties intended by Signal. Compared to previous multi-stage key exchange models which involve a single sequence of stages within each session, our model considers a tree of stages to model the various “chains” in Signal. Our security model characterizes many detailed security properties of Signal, providing the first formal definition of Signal’s security goals. Among the interesting aspects of our model are the subtle differences between security properties of keys derived via symmetric and asymmetric ratcheting. We subsequently prove that the cryptographic core of Signal is secure in our model, providing the first formal security guarantees for Signal. We give a proof sketch in Section 5 and the full proof in Section B.3. Our full proof is in the random oracle model, but we have also outlined the steps required for a proof in the standard model as a delta to the original proof, using (a variant of) the PRF-ODH assumption. As our proof is essentially a case distinction, the latter addition is not only arguably using a more plausible cryptographic assumption, but also provides more concrete analysis of the different security guarantees depending on how a message key is derived in the Signal Protocol. In practice, Signal is more than just its key exchange protocol. In Section 6, we describe many other aspects of Signal that are not covered by our analysis, which we believe are a rich opportunity for future research. We hope our presentation of the protocol in Section 2 can serve as a starting point for understanding Signal’s core. 1.2. Additional Related Work Symmetric ratcheting and DH updates (asymmetric ratcheting) are not the only way of updating state to ensure forward secrecy—i.e., that compromise of current state cannot be used to decrypt past communications. Forward-secure public key encryption [20] allows users to publish a short unchanging public key; messages are encrypted with knowledge of a time period, and after receiving a message, a user can update their secret key to prevent decryption of messages from earlier time periods. Signal’s asymmetric ratcheting, which it inherits from the design of OTR [16], have been claimed to offer properties such as “future secrecy”. Future secrecy of protocols like Signal has been discussed in depth by 1. TextSecure v1 was based on OTR; in v2 it migrated to the Axolotl Ratchet and in v3 made some changes to the cryptographic primitives and the wire protocol.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages43 Page
-
File Size-